HFM - Security refresh possible?

Hi all,
we are currently facing an issue at a client concerning HFM 11.1.2.0. We are using HFM API to load a new security file into an application. This works quite well – the only
problem is that logged-on users still have their old security permission until they re-logon. Do you know a way to enforce a security “refresh” in HFM without having the need for users to re-logon to
an application?
I really appreciate your help!
Regards Sebastian

Hi,
nope, a log off and log on is required. If you fear that your users don't log out, you can log them out centrally through administration --> Users on System

Similar Messages

  • HFM security refresh

    - Changed the value of attribute ID (objectGUID to CN) in user directory MSADAM in shared services
    - Restarted services
    - executed updateNativeDir.bat and CssImport.bat importexport.properties
    80% of the users are able to access HFM.
    This is system 9.3.3 used mainly used for HFM.
    Has anyone run into this issue and know to resolve?

    Hi,
    nope, a log off and log on is required. If you fear that your users don't log out, you can log them out centrally through administration --> Users on System

  • HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

    Hi All,
    I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
    The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
    If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
    input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
    "User does not have the access right to perform this journal task"
    The options I have thought for a workaround are as follows:
    1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
    2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
    Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
    We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
    they are:
    1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
    2.   2. A data reviewer (who approves journals)
    The process is as follows:
    1.       1. Logon as Data inputter to submit the journals
    2.       2. Logon as Data reviewer to approve the journals
    3.       3. Logon as Data inputter to post the Journals
    We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
    but once it comes back to step 3, we get an error as follows:
    "User does not have the access right to perform this journal task"
    (This error comes about when the access control on custom 4 is set to None, Read, Promote)
    Custom 4 Access Rights looks as follows:
    C4_ADJ01
    C4_ADJ02
    C4_ADJ03
    C4_ADJ04
    HFMDefault
    Read
    Read
    Read
    Read
    HFMLoad
    All
    Promote
    None
    Read
    HFMReview
    Read
    All
    All
    All
    When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
    For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
    Roles for the groups that users assigned look like the following:
    Test User Name
    Test User Name
    Access Rights
    1
    Base Data input/Journal Data input
    test_HFMLoad
    Reviewer 1
    Review Supervisor
    Create Journals
    Read Journals
    Database Management
    Enable write back in Web Grid
    Load Excel Data
    Generate Recurring
    Post Journals
    Create Unbalanced Journals
    Manage Templates
    Data Form Write Back from Excel
    Consolidate
    2
    Data Reviewer
    test_HFMReview
    Reviewer 1
    Review Supervisor
    Create Journals
    Read Journals
    Database Management
    Approve Journals
    Consolidate
    Reviewer 2
    Generate Recurring
    Manage Templates
    Create Unbalanced Journals
    Any help or advice would be much appreciated.
    Thanks in advance,
    M.

    Hi All,
    I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
    The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
    If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
    input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
    "User does not have the access right to perform this journal task"
    The options I have thought for a workaround are as follows:
    1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
    2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
    Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
    We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
    they are:
    1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
    2.   2. A data reviewer (who approves journals)
    The process is as follows:
    1.       1. Logon as Data inputter to submit the journals
    2.       2. Logon as Data reviewer to approve the journals
    3.       3. Logon as Data inputter to post the Journals
    We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
    but once it comes back to step 3, we get an error as follows:
    "User does not have the access right to perform this journal task"
    (This error comes about when the access control on custom 4 is set to None, Read, Promote)
    Custom 4 Access Rights looks as follows:
    C4_ADJ01
    C4_ADJ02
    C4_ADJ03
    C4_ADJ04
    HFMDefault
    Read
    Read
    Read
    Read
    HFMLoad
    All
    Promote
    None
    Read
    HFMReview
    Read
    All
    All
    All
    When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
    For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
    Roles for the groups that users assigned look like the following:
    Test User Name
    Test User Name
    Access Rights
    1
    Base Data input/Journal Data input
    test_HFMLoad
    Reviewer 1
    Review Supervisor
    Create Journals
    Read Journals
    Database Management
    Enable write back in Web Grid
    Load Excel Data
    Generate Recurring
    Post Journals
    Create Unbalanced Journals
    Manage Templates
    Data Form Write Back from Excel
    Consolidate
    2
    Data Reviewer
    test_HFMReview
    Reviewer 1
    Review Supervisor
    Create Journals
    Read Journals
    Database Management
    Approve Journals
    Consolidate
    Reviewer 2
    Generate Recurring
    Manage Templates
    Create Unbalanced Journals
    Any help or advice would be much appreciated.
    Thanks in advance,
    M.

  • Monitoring HFM security

    I am using Hyperion 11.1.2.1. and want to monitor some HFM security.
    Is there any way we can find that :
    how many number of users are currently accessing a particular HFM Application and can identify them with their user-details and login-details whenever required ?
    how many number of users are currently accessing the whole HFM Application(Schema) and can identify them with their user-details and login-details whenever required ?
    -----Sunny

    Hi Sunny,
    As the subject was about HFM Security i have given you the query or details which i was aware about HFM.
    1.I mean to say for the tables i have listed in the query there are other columns as well so if you want to get more details then you can select which are all the columns you would require and add them accordingly in the query.
    2.Yeah its possible to get the details about user connected to application even. here is the query you need to change for this as below
    select h.sservername,h.sappname,s.susername,to_char((to_date('01/1900','MM/YYYY')+h.dstarttime-2),'DD/MM/YYYY hh24:mi:ss'),h.lactivitycode,h.sactivitydesc
    from hsv_users_on_system h,hsv_activity_users s
    where h.luserid in s.luserid
    order by sservername
    Also as you were asking for Historical/past login times & details here is the below query which will help you in analysing the things better with activity they did and time they logged in and carried out activity.
    select g.servername,g.appname,to_char((to_date('01/1900','MM/YYYY')+g.starttime-2),'DD/MM/YYYY hh24:mi:ss'),to_char((to_date('01/1900','MM/YYYY')+g.endtime-2),'DD/MM/YYYY hh24:mi:ss'),g.strdescription,s.susername
    from Appname_task_audit g,hsv_activity_users s
    where g.activityuserid in s.luserid (optional if you want to search excluding admin id then you can add this line to existing query at the end [and s.susername not like '%admin%'])
    As the audit logs are specific to applications you need to replace "appname" in the query with your application name for which you wanted to check audit.
    Ex: if your application name is abcd then your query should be something like this
    select g.servername,g.appname,to_char((to_date('01/1900','MM/YYYY')+g.starttime-2),'DD/MM/YYYY hh24:mi:ss'),to_char((to_date('01/1900','MM/YYYY')+g.endtime-2),'DD/MM/YYYY hh24:mi:ss'),g.strdescription,s.susername
    from abcd_task_audit g,hsv_activity_users s
    where g.activityuserid in s.luserid (optional if you want to search excluding admin id/any specific user  then you can add this line/change  existing query at the end [and s.susername not like '%admin%'])
    Hope this helps !!!!
    Thanks
    Amith

  • Security refresh in Planning

    I have a Planning application where security gets cleared and re-established every night. Sometimes the refresh takes as little as eight minutes and sometimes over an hour (68 minutes). Does anybody now why that would be? There aren't many users on the system, if any, when this security refresh is being run. thx

    Some things to check on... Does your refresh process include a metadata refresh / Essabse restructure? Are you regenerating Essbase security filters or only import of Planning object and metadata security? I would check for resource conflicts on your database server and possibly your Essbase server. Are there any scheduled batch jobs or backup jobs that might be holding up your refresh?

  • Autometic planning security refresh is not refreshing the security filters

    Hi Friends,
    We are using Hyperion planning system 9.3.1. While refreshing the planning security through automated script its not getting refreshed the security filters. In log its showing filter refreshed successfully but actually it’s not refreshing the filters. But when we are doing it manually from planning web its working fine. One more thing we are doing security refresh on daily basic as per business request. So daily its dropping the filters we refreshed manually from planning web.
    we are using the below scripts:
    CALL G:\Hyperion\Planning\bin\CubeRefresh.cmd /A:application_name /U:user_name /P:password /R /FSV /DEBUG >> In\Log\Refresh_HPOPROD.log
    Any help will be appreciated.
    Thanks,

    I guess you are missing /D

  • Security Refresh for Users in the Group

    Hi John,
    I assigned an user with Analytic services admin privileges in the shared services. After the refresh security from shared services through EAS console, I clicked on security and clicked on users. I could able to see that user as an administrator(user type).
    But when i assigned the same analytic services admin privileges at the group level, all the users in that group are
    not showing as administrators in the EAS console after security refresh.(showing as user instead of administrator).
    Can you explain why?
    Thanks.

    Hi,
    If you look at the group in EAS then it should be displayed as administrator, then all the users assigned to that group will take on the administrator privileges.
    It will not show each user as as administrator just as a user that is the way it works.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Security Refresh of Shared Services Failing 11.1.1.3

    I executed a manual refresh of SS security in EAS after provisioning a new externally authenticated user and the refresh failed. I researched the issue in the log files, and the automatic daily refresh I have set to run via the config file has been failing since the last recycle of services (complete stop and start of services from reliable scripts).
    Oracle suggested I stop and restart certain services including a longer pause between SS and EAS/Essbase to resynch Essbase and Shared Services. This did not work, neither did a complete stop, reboot, restart.
    I'm approaching desperation, I cannot provision new users in a production environment...
    There are no other symptoms. All users are externally authenticated in the AD, and they are not experiencing any login problems at all. Users have changed their p/w even locked out their accounts and and had them unlocked.
    I'm attaching some log file snippets. I would greatly appreciate your insight.
    Failure message:
    Essbase failed to get roles list for [ESB:Analytic Servers:CORPESS:1] from Shared Services Server with Error [32:1062:Failed to connect to the user directory [Cabot2, Cabot].]
    From SharedServices_Security_Client.log after services restarted:
    2010-09-23 07:12:19,531 INFO [main] Got native directory location from Registry:corpfs.cabotog.com:28089 com.hyperion.css.registry.RegistryManager.getNativeProviderLocationFromRegistry(Unknown Source)
    2010-09-23 07:12:19,531 INFO [main] URL constructed out of values in Registry database:ldap://corpfs.cabotog.com:28089/dc=css,dc=hyperion,dc=com com.hyperion.css.common.configuration.CSSConfigurationImplXML.initConfiguration(Unknown Source)
    2010-09-23 07:12:21,062 ERROR [Thread-3] 27:1062:Failed to connect to the user directory Cabot2.[Root Cause: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
         'OU=Corp,DC=cabotog,DC=com'
    ] ] com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool.getBorrowObject(Unknown Source)
    2010-09-23 07:12:21,062 ERROR [Thread-4] 27:1062:Failed to connect to the user directory Cabot.[Root Cause: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
         'OU=Corp,DC=cabotog,DC=com'
    ] ] com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool.getBorrowObject(Unknown Source)
    2010-09-23 07:12:21,062 ERROR [Thread-3] 60:1101:JNDI error.[Root Cause: 27:1062:Failed to connect to the user directory Cabot2. ] com.hyperion.css.spi.impl.msad.JNDIHelper.getURLContext(Unknown Source)
    2010-09-23 07:12:21,062 ERROR [Thread-4] 60:1101:JNDI error.[Root Cause: 27:1062:Failed to connect to the user directory Cabot. ] com.hyperion.css.spi.impl.msad.JNDIHelper.getURLContext(Unknown Source)
    2010-09-23 07:12:21,062 WARN [Thread-3] Failed to update Cache for provider Cabot2[Root Cause: 60:1101:JNDI error. ] com.hyperion.css.spi.impl.msad.MSADCacheUpdater.refreshProviderCache(Unknown Source)
    2010-09-23 07:12:21,062 WARN [Thread-4] Failed to update Cache for provider Cabot[Root Cause: 60:1101:JNDI error. ] com.hyperion.css.spi.impl.msad.MSADCacheUpdater.refreshProviderCache(Unknown Source)

    We are using 11.1.1.3. We had the same issue you described. External users could login to all applications, but all security refreshes failed (in both EAS and Planning) with the failure error in your original post. The patch our consultant applied was "Shared Services Service Fix 11.1.1.3.06" per Oracle support. The following entries in our SS client log are what prompted Oracle's remedy (after several weeks of escalation):
    2010-09-24 15:01:38,110 ERROR [Thread-54] 27:1112:Failed to connect to <ldapserver> at <portnumber>. com.hyperion.css.spi.impl.ldap.LDAPProvider.isAvailable(Unknown Source)
    2010-09-24 15:01:38,110 ERROR [Thread-54] The folowing providers are not initialized, check configuration [ED] com.hyperion.css.spi.CSSManager.pingConfiguredProviders(Unknown Source)
    2010-09-24 15:01:38,110 ERROR [Thread-54] 32:1062:Failed to connect to the user directory <ldapdirectory>. com.hyperion.css.spi.CSSManager.pingConfiguredProviders(Unknown Source)
    2010-09-24 15:01:38,110 DEBUG [Thread-54] getRolesListForEntries() failed : [43842 ms]
    Edited by: 799357 on Oct 4, 2010 12:33 PM
    Edited by: 799357 on Oct 4, 2010 12:38 PM

  • HFM Security Class Java API

    Dear All,
    I'm trying to get HFM Security Class info using Java APIs. Recently I was able to connect to the Hyperion Shared Services using the hyperion css.jar java file. Is there a similar jar to access the Security classes and get users, groups and vice versa?
    Any examples would be great as well.

    Thanks for the reply. I was hoping this was not the case...
    In 9.2 I used these objects but I was hoping to move away from this and use provided API's.
    I'm using c# to talk to the object which I expose to java using web services so I guess that is what I'll be using!!!
    Cheers,

  • HFM Security Class and Security

    Hi All my Peers,
    Can any one explain me What is the difference between Security Class and Security

    No offense, but if you don't understand these concepts well enough, your CV should probably be sent a far distance if you are trying to get an experienced consulting position. Understanding security is an important piece to the puzzle, especially when dealing with large amounts of financial data.
    With that said.......
    Security - Generally speaking, the goal of security is to control access to data, objects, programs, etc. In the Hyperion sense, security is managed in multiple different ways :
    - Program Access : Only users who are linked to Hyperion's Shared Services AND have the proper provisioned rights can open a program. (i.e. HFM, Reports, Workspace, FDM, etc, etc, etc.)
    - Provisioning : There are different types of rights per program that a user can have. Provisioning is the act of assigning these rights. (i.e. HFM has multiple rights such as Appliation Administrator, Default, Provisioning Manager, etc.)
    - Data / Object Access : Even if you have the right to enter the program, there is generally another layer of security which controls what you can do. For instance, inside of HFM, you can configure security for objects such as Data Forms and Data Grids. Furthermore, you can limit the user's ability to change or view data for specific entities, accounts, as well as other dimensions.
    - Security Classes : The security classes that you assign in the metadata are used during the act of assigning the Data / Object access controls. Users (and Groups) and assigned View Only, All (Read/Write), or None access to HFM Security Classes.
    This is a ridiculously high level overview. To get a much better understanding, I strongly recommend that you read the product documentation for the specific products you are using. If you are using 11.1.2.1 / HFM, here are a couple of documents that are of value :
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf - Administrators guide which has a section on security.
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_user.pdf - Users' guide which talked to security in terms of forms/ grids
    General System 11 doc : http://docs.oracle.com/cd/E17236_01/nav/portal_5.htm
    Hope that helps

  • HFM Security Access

    I have a query on HFM security which I have got from the business.
    1)     Change Doris and Jeanie access to read/display only in HFM production. We should have access to display all data in HFM. – I was not sure which access should I give to get this requirement.
    2)     In Process Management, Please provide “Start”, “Signoff”, “Approve”, “Reject”, “Publish” in process management for Rob Sage, Debbie Indrieri and Doris Lai. Also, Please provide “Promote” and “Submit” Access to Elisa Ha and Jaime Akiyama. – Shall I give Review Supervisor for Rob Sage, Debbie and Doris for this access and not sure which one should I give for Elisa and Jaime.
    Kindly help me in this regards.

    I don't use process management so I will not attempt to answer that part of your question.
    In regards to the first part, you need to go into Shared Services and assign those users the Read permission for the required security classes. For instance, if all entities are tied to a class called ALLENTITIES, you could go into Shared Services, click on projects, click on the project that holds your application, and then click on the application you are managing. Then you would search for the users/groups in question and add them to the selected list, next you would select the classes you want to assign them access to (i.e. ALLENTITIES). On the next screen you will see a grid with users/groups and classes. Go to the cells and set the Access Rights to read. (Be sure to hit the SAVE button when done)
    Alternatively, you can do a security extract from the application, make the updates in the security file, and load that back to the system.

  • Automate HFM Security extract?

    Hi,
    HFM Security can be extracted in below methods
    1. In workspace > Extract Tasks> Extract Security
    2. In Shared service > Application Groups > Rt Click on App Name> Assign Access control > Security Reports
    Please let me know if any another ways to Extract security reports.
    Can we make Automate the "extracting security reports"?
    Thanks in Advance.
    Regards,
    AVSR

    Overview: create a migration definition file for HFM (migrating what information you need, in your case it would be security)... save the file, don't execute. Using cmd prompt, run the LCM utility.bat, supplying it with the information needed as well as the migration file. Automate it by creating a batch file to run your migration file and the utility. Schedule the batch file in task scheduler and it will run whenever needed.
    Search for it on the oracle knowledgebase. Theres a lot of info on LCM there.

  • HFM Security Report Automation?

    Is there a way to automate the running of the HFM (Hyperion Financial Management) Security Report in Shared Services.?
    version: 11.1.2.0
    Is this possible with using Task Automation? ---> If yes please provide details
    If this possible using other reporting tools like HFR, web analysis..etc ---> This is not recommended
    If any other way, Please provide details.
    Thanks All!!
    Regards,
    AVSR

    I think the best way to produce custom security files is using the HFM API. You can use this to report on group memberships and roles and class access. You can read all about it in the Web Developer's Guide Chapter 10. The chapter starts:
    The HFMwSecurity type library contains the HFMwSecurity component. This component
    provides methods that enumerate an application’s security classes, indicate whether a user has
    rights to perform a given task, and return other types of security information.
    I have seen these used to great effect.

  • HFM Security Access Edit Logs - Audit

    I have been asked by our internal audit group to provide logs of when users access within HFM have been edited (i.e. added, changed roles, added to groups, etc.). Is there anyone else that has received this request, and more importantly how have you met this request (logs in the system, etc)?
    The only way I have been able to track this is offline via spreadsheets.
    Any/all advice is appreciated.
    Thanks.
    LJ
    Edited by: user8357096 on Mar 23, 2010 7:28 AM

    I have had a couple clients ask for something like this. At least now with user provisioning you can get reports of what the security was, like a snapshot. Then compare it to another time. But this will only tell you part of the story. If you are using groups for example, it possible a user gets added to one group then removed. You would not have access to that change in HFM, it would keep no record of it.
    I would recommend taking and extract and report and archiving them to reference.

  • Has anyone had issues with Planning security refreshing in Essbase

    I am on Planning version 9.3.0.1 and we are having issues with planning users being able to use an essbase connection to pull data from smartview. They are able to see data in web forms in planning but they get #no access when they try to connect to the same data in smartview.
    Has anyone else experieced this issue.

    If user works when you provision individually its because they were set in the environment in EAS.
    group has to have all the access needed (bug in orig). css file open a ticket for the file name. example user needs calc access you setup calc but bug in system is not also giving user read and write access. Thus you can individually add this to the group in provisioning area in shared services. in EAS goto File open- editors create/run script with
    alter user 'userID' Add application_access_type Planning;
    alter user 'userID' add application_access_type Essbase; to add user to the environment if error you need to refresh eas first then run maxl script for planning you also need to go to workspace and select any of your dimensions all your groups ...edit .. migrate identities.. to get group/Users in planning wether adding or removing users. when you do planning changes you need to do database and security filters refresh.

Maybe you are looking for

  • Two Airport Extremes no longer working in tandem to extend network

    Trouble has cropped up with my home network, I think dating back to the installation of Leopard (though I'm not sure about that). I have been using two Airport Extreme (both 802.11n) to extend my wireless network throughout the house. For some reason

  • Record HDTV from cable box

    I have an EyeTV 250 which I have used for years to record (using the EyeTV software) the analog signal my cable system (TWC) provided. The cable company recently switched to all-digital, but provided digital-to-analog converters to anyone who didn't

  • Forced landscape rotation problem

    Hi all, like many others im having problems implementing forced landscape rotation. My app allows a user to select/take a photo. If the photo was taken in landscape orientation then I force the user to view it in landscape orientation. I have finally

  • Cannot create new project

    when i try to create a new project, i get an error message that says "cannot create project. Please check the disk to ensure there is enough free space and you have permission to write projects. " what gives?

  • Reg:Rows display in Table Control

    Dear All,          I created a Table Control which is displaying 30 rows in the initial screen.But my requirement is to display up to 200 rows in the initial screen itself how can it be done??